From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 30 Jan 2004 - 23:35:39 GMT
On Fri, Jan 30, 2004 at 10:40:47PM +0100, Sascha Silbe wrote:
> Hi!
> 
> While hacking on my srvtools (something similar to the vserver user space 
> tools, but with a different design), I made a frightening discovery:
> 
> root_at_hybrid:/# reducecap --secure /bin/sh -c 'getpcaps $$'
> Executing
> Capabilities for `11054': =eip cap_setpcap-eip
> root_at_hybrid:/# execcap = /bin/sh -c 'getpcaps $$'
> Capabilities for `11084': =ep cap_setpcap-ep
> root_at_hybrid:/# cat /proc/sys/kernel/cap-bound 
> 0
> root_at_hybrid:/# uname -r
> 2.4.21-hybrid-1
hmm, if this helps:
/ # reducecap --secure /bin/sh -c 'getpcaps $$'
Executing
Capabilities for `17': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_net_bind_service,cap_sys_chroot,cap_sys_ptrace,cap_sys_tty_config,cap_lease+ep
/ # execcap = /bin/sh -c 'getpcaps $$'
Capabilities for `19': =ep cap_setpcap-ep
/ # cat /proc/sys/kernel/cap-bound
-257
/ # uname -r
2.4.25-pre7-vs1.24
/ # 
> This is exactly the same as on a capability-disabled system (where I'd 
> actually expect that behaviour):
> 
> root_at_odin:~# execcap = /bin/sh -c 'getpcaps $$'
> Capabilities for `29497': =ep cap_setpcap-ep
> root_at_odin:~# cat /proc/sys/kernel/cap-bound 
> -257
> 
> 
> Actually one of my services ("virtual servers") is running with FULL root 
> privileges now:
> 
> root_at_hybrid:/# getpcaps `vps auxww |grep '[ ]/bin/clockspeed'|tr -s ' '|cut -d ' ' -f 1`
> Capabilities for `root': =eip cap_setpcap-eip
> 
> 
> What the hell has happened to POSIX capability support in the latest 2.4 
> kernels?
what kernel patch/tool version do you use and what
does the test script report (started on the host):
   http://vserver.13thfloor.at/Stuff/testme.sh
HTH,
Herbert
> PS: Yes, 'reducecap --show' does give the same output as 'getpcaps $$', only 
> in a much more verbose fashion.
> 
> CU/Lnx Sascha
> 
> -- 
> Registered Linux User #77587 (http://counter.li.org/)
> 
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
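Added example, not part of the thread or the vserver tools: a small Python decoder for the cap-bound values and getpcaps lines quoted above. It assumes the 2.4-series capability numbering (cap_chown = bit 0 up to cap_lease = bit 28) and the libcap text format that getpcaps prints; the last function lists effective capabilities a process holds that the bounding set does not contain, which is non-empty for Sascha's first listing (cap-bound 0) and empty for Herbert's (cap-bound -257).

```python
import re

# Capability numbers as in the 2.4-series linux/capability.h: index == bit.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease",
]

def decode_cap_bound(value):
    """Names whose bit is set in /proc/sys/kernel/cap-bound.
    The kernel prints the set as a signed 32-bit int, so -257 is the
    signed view of 0xfffffeff: every bit except bit 8 (cap_setpcap)."""
    word = value & 0xFFFFFFFF
    return {name for n, name in enumerate(CAP_NAMES) if word >> n & 1}

def parse_cap_text(text):
    """Parse the libcap text form printed by getpcaps (e.g.
    '=eip cap_setpcap-eip') into sets for the e, i and p flags."""
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        m = re.fullmatch(r"([a-z_,]*)([=+-])([eip]*)", clause)
        if not m:
            raise ValueError(f"unparsable clause: {clause!r}")
        names, op, flags = m.groups()
        caps = set(CAP_NAMES) if names in ("", "all") else set(names.split(","))
        for f in "eip":
            if op == "=":            # raise in listed flags, lower in the others
                sets[f] = sets[f] | caps if f in flags else sets[f] - caps
            elif f in flags and op == "+":
                sets[f] |= caps
            elif f in flags and op == "-":
                sets[f] -= caps
    return sets

def effective_beyond_bound(getpcaps_line, cap_bound):
    """Effective caps the process holds that are not in the bounding set.
    Empty is what one expects after cap-bound has been reduced."""
    text = getpcaps_line.split(":", 1)[1].strip()
    return parse_cap_text(text)["e"] - decode_cap_bound(cap_bound)
```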